
While I am familiar with the concept of encryption and have spent a lot of time securing my electronic communications, some technicalities still escape me, so forgive me for posting a seemingly ridiculous question.

Is there any way to split my data into two streams, one encrypted and one un-encrypted? I am running some applications on my computer that generate quite a bit of traffic, but as the data is not sensitive, I wouldn't mind keeping it unencrypted, while I would want everything else, e.g. browser traffic, to be encrypted. That way, I could reduce the load on the CS server a fair bit.

Typically in a corporate "road warrior" situation, the default route is the local Internet router and the corporate network has explicit route(s) set to go over the VPN. In the case of a VPN provider like CS, the default route goes over the VPN. If you know the destination IPs or IP ranges for your non-sensitive applications you could set them up as explicit routes to go over your normal network interface. What are these applications, just out of interest?

Thanks a bunch! I trade currencies for a living and the broker software, charting applications and news feeds do generate traffic that doesn’t need to be encrypted. I do have the IP addresses of the non-sensitive applications, so how do I set them up as explicit routes to go over my normal network interface? I presume this has been done before, so where would I start looking for instructions?

Hi there. So this is actually a very good topic, since I've been searching for this "split tunneling" thing for some time now. Let me tell you what I did.

I have a WDR3600 with "OpenWrt Attitude Adjustment 12.09", and since this router does 2 different wifi networks and frequencies, I thought I'd make wlan1, for example, go to the VPN and wlan0 go directly to my cable provider. With this, if I wanted to connect to the VPN I'd just change wifi network; it's that easy, at least in theory LOL

I did manage to get the openvpn client to connect to CS, and after some iptables configuration everything connected fine and all computers connected to the router were also connected to CS. The next logical step was to make the split tunneling, like this:

- all eth0 to eth5 ports are to connect directly to wan0
- wlan0 is to connect directly to wan0
- wlan1 is to connect directly to tun0 to access CS
- all communication coming from tun0 is to go to wlan1
- tun0 is connected to wan0

After consulting several sites all over the "dark net" and some tor files about networking, I found that it all depends on the configuration of iptables, and that was when the "shit hit the vents": I couldn't get it working and I actually had to reset my router several times.

So with all of this, does anyone have some pointers on getting this to work? Or better, is there an iptables guru here in the forum?

tlsbreak wrote:....It seems to me you need a rule like that for each non-vpn connection.

Actually that's not true, since you can make the iptables rule for the specific interface (wan, wlan, eth, br-lan, tun, tap) and then assign the non-VPN connection to one of them. In theory I know that works, since a former colleague of mine did that exact same thing for our VPN work office in his home.

He no longer works there and I've lost all contact with him. I have to say that he taught me a lot of what I know now.

parityboy wrote:@keoma

Which platform is this for: Linux, OS X or Windows?

Yeah, he actually didn't say. Nevertheless, the easiest way to go is with dd-wrt or openwrt, since they are Linux based with several interfaces attached and already programmed. I believe that with any Linux distro with iptables we can create several virtual LANs and then put my theory to work.


So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptables rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-VPN IP address through the gateway I want. I have to create a rule for each address though (at least I think I do).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptable stuff makes my head explode.

I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this feature works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature. Our split-tunneling feature easily allows you to ‘Split’ your data traffic and choose which traffic stream to ‘Tunnel’ while not tunneling the other. This way, you can conduct important activities with VPN protection while simultaneously enjoy unsecured but fast internet speed for unimportant tasks, like streaming. The best of both worlds, right?"

tlsbreak wrote:So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptables rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-VPN IP address through the gateway I want. I have to create a rule for each address though (at least I think I do).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptable stuff makes my head explode.

So I must not have explained it to you very well. I'm running an OpenWrt router, which is a Linux-based system with a lot of normal Linux apps and everything, and that includes iptables. So in OpenWrt, iptables comes installed from the start, and normally, if you don't want to make a lot of changes to normal user connectivity, there is a lot of automatic configuration and you don't have to touch a thing. But since I'm running in a very special building network, I actually need a lot of tweaking to get this to work.

You do have to create a specific rule for a specific address if you're running several in the same hardware port of your router. For example, imagine that I have a network switch connected to port 1 of my router (eth0) and to that switch I connect 2 devices (dev1, dev2). Both devices have, as they normally should, different IP addresses, but the router port is the same. In that case you have to create a specific rule for each of the IP addresses and not a general rule to forward something from eth0 to wan0, for example.

This means that any IP that comes out of wan at port 80 is to be directed to the LAN network IP 192.168.1.3 port 80. This is a specific rule for a specific port and IP address destination inside the LAN. But imagine that you have only ONE IP running on eth0; that way you could direct any IP that comes out of port 80 from wan to eth0.

This blog from another VPN provider did the trick... I had to change a lot of the parameters, but everything worked out ok.

I'm now running all my hardwired computers (eth0, eth1, eth2, eth3, eth4) in Germany with CS. This initial configuration from the other VPN provider makes all devices connected via wlan0 and wlan1 access the internet directly through my ISP, and all the hardwired ones go through CS.

Here is the "Split Tunneling" that we wanted so much!!!

Next step:

1) Remove eth0/eth4 from the CS connection
2) Remove wlan1 from directly connecting to my ISP
3) Add only wlan0 to connect to CS
4) Check the DNS leak test, since the wired computers are given my ISP's DNS, but they shouldn't be, as my main wan device has 5 CS DNS servers included and not the ISP's ones
5) Check this load average problem: Load Average 2.06, 1.10, 2.13 (normally in heavy duty connections like 20 torrents downloading and 10 uploading it doesn't go higher than: Load Average 0.35, 0.20, 0.65)
6) Check: when the connection drops I can't access the internet (and that's actually what we want), but the connection doesn't come back online
7) No internet connection when using wlan1, no changes made so far with the initial configuration
8) Make a tutorial of all the necessary changes and put it here for all the community
9) In the near future make an image with the necessary changes for the WDR3600 with OpenWrt

I really have to thank you guys who kept this topic alive; with that I got to do something that I've been wanting for some time now.

I knew you were using openwrt but had dd-wrt in my mind. Thanks for the explanation and links they look great.

keoma wrote:I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this features works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature

Is there any chance that split tunnelling could be incorporated in the widget v. 1.10 with a simple option to specify 3 or 5 IP addresses that will bypass the VPN while all other traffic goes through the VPN? Judging by the above replies, it is technically possible and it would surely benefit everyone - users see a great improvement in performance while the CS servers will have a greatly reduced server load.

I'll talk to our devs about that, but I would have to wager that's a fairly non-trivial feature to implement to ensure security doesn't needlessly get compromised. I would expect that would be something for a major release, but I will defer to their boundless wisdom

I don't see why it would benefit everyone, I have no use or purpose or inclination to allow an IP to bypass CS. I use Windows 7 Firewall with Advanced Security to block svchost.exe (provides inactive internet till widget kicks in)... hence I would suggest a spinoff widget to handle this split tunnelling stuff. I think this is a "security vs convenience" issue. I consider this a flaw, not a feature (just my opinion).

"Heyyy... install this widget so you can access the internet anonymously, don't know who you are, kickass encryption etc... But we got this cool feature implemented that allows the world to see what you are up to".

Just because some things you do on the internet are not sensitive, doesn't mean that the product supplied by the VPN provider should allow for it... If this is catered to, then you might as well cater for torrent ports as well, or anything else that the honeypot companies provide... I think it goes against the mission statement if it is implemented in the widget (again, just my opinion).

If the user wants it, then the user should set it up on his/her own, keep it away from product injection/feature-warez...

I have to agree with @marzametal and @parityboy this is a potential security risk.

Nevertheless, I do assume that this split tunneling thing for me is top notch. I have a seedbox running that I don't want to go into CS (I'm in one of the very limited countries that allow P2P); also everything Facebook, Twitter, local country TV, Internet Radio I really want to go with my normal provider, but with my OpenNIC DNS servers (besides, it's a little complicated to tell my wife that she isn't in Iceland or Germany when she posts to Facebook, and that did happen).

Then there's all the "other things" that are restricted to my activity, both personal and professional, where I do want to be "invisible" and don't want some "sniffer" robot on my IP. I don't have Facebook, I don't use GAPP's, I do own an Android phone but no Play Store (FDroid is a must!), just recently I opened a Twitter account (for the sole purpose of talking to CS LOL), I do not use Windows or iOS devices (Ubuntu all the way).

So it's a little complicated to explain, but I do like this split tunneling thing, maybe in the kind of way I did it, with a dual band router where one wifi goes to home and the other goes to the world (we should use the AP Isolate mode; this way there is no communication between wifis or between devices on the same wifi). This way you always know what to use and where you want to use it. Yeah, I can easily install OpenVPN on all my devices and just run CS from there, but I'm a practical guy that sometimes forgets simple things.

I don’t get your point – if you don’t trust a particular IP address or website, then you could just not bypass CS, or not? You may agree that it is every user’s own choice and responsibility how much “security over convenience” he wants. I am not surfing porn sites or am connecting to torrent networks but am generating a lot of traffic with servers that are surely not set up as honeypots.

Anyway, I didn’t intend to make this a major issue and I’ll surely find a work-around on my own so I rest my case.

Split tunnelling is indeed useful. I use it in my VM: torrents and other communications go over the VPN, my NZB client uses SSL over the clearnet. My Usenet setup currently means there's no advantage to using it through a VPN (this will change soon though), therefore the additional CPU load from the dual encryption isn't worth it.

However, setting up routes and firewalls on Linux is easy. Windows I'm not so sure about.


May I assume that you really know how to make good IPtables rules? If so, can I give you my network architecture and ask a little help setting some things up?

Old thread, but I didn't see any actual commands here, so I thought I'd add some.

In this network setup, 192.168.1.1 is the gateway IP for your LAN. As an IP to exclude from the VPN, I'll use http://ifconfig.co/'s IP, which is currently 188.113.88.193. On Windows, after connecting to the VPN, visit http://ifconfig.co/ in your browser to verify that the VPN is on. Then, start a command prompt as Administrator and run:

That will tell Windows to use the gateway 192.168.1.1 for the IP 188.113.88.193, instead of the default gateway, which is currently the one set by OpenVPN. If needed, you can also use subnet masks such as 188.113.88.0/24 to instead exclude an entire class C of IPs.

Obviously, doing this presents a risk to your anonymity, since the IP you're excluding will see your real IP. If you're connecting to that IP using any plaintext protocol, it could be monitored or hijacked.

I have no plan to add this type of split tunneling feature to the widget, since most people don't need it. The few that do can use the above commands.
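A worked version of the two techniques discussed in this thread, added here as an example and not any poster's own commands: keoma's per-wifi split on a Linux/OpenWrt router (one subnet routed through tun0, the rest through the ISP) and df's "explicit route" that lets chosen destinations bypass the VPN. The subnets, interface names and table id are constructed assumptions; it also assumes the router's OpenVPN client does not replace the main default route (e.g. `route-nopull`).

```shell
#!/bin/sh
# Added example (not from the thread): source-based split tunneling on a Linux
# or OpenWrt router using policy routing. Constructed assumptions: VPN wifi
# subnet 192.168.2.0/24 on wlan1, ISP-side LAN 192.168.1.0/24, tun0 is the
# OpenVPN interface, routing table 100 is unused, and the OpenVPN client on
# the router is started with route-nopull so the main table keeps the ISP route.
set -eu
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Send everything from VPN_LAN out VPN_IF via a dedicated routing table.
# The 'unreachable' default with a worse metric acts as a kill switch: when
# OpenVPN exits and tun0 disappears, the kernel purges the tun0 route and
# VPN_LAN traffic is rejected instead of falling back to the ISP route.
split_by_source() {
    vpn_lan=$1; vpn_if=$2; table=$3
    run ip route add default dev "$vpn_if" table "$table" metric 100
    run ip route add unreachable default table "$table" metric 200
    run ip rule add from "$vpn_lan" lookup "$table" priority 1000
    # LAN hosts share the single tunnel address, so masquerade on the way out.
    run iptables -t nat -A POSTROUTING -s "$vpn_lan" -o "$vpn_if" -j MASQUERADE
}

# Destinations that must NOT use the VPN (local subnets, the non-sensitive
# services from the thread). A higher-priority rule consults the main table,
# i.e. the ISP route, so those servers see the real ISP address and any
# plaintext protocol to them is exposed, exactly as df warns above.
bypass_vpn() {
    vpn_lan=$1; shift
    for dst in "$@"; do
        run ip rule add from "$vpn_lan" to "$dst" lookup main priority 900
    done
}

# Show which route a flow from a VPN_LAN host would take (no root needed).
route_for() { ip route get "$3" from "$2" iif "$1" 2>/dev/null | head -n 1; }

split_by_source 192.168.2.0/24 tun0 100
bypass_vpn 192.168.2.0/24 192.168.1.0/24 192.168.2.0/24 188.113.88.0/24
```

Run with DRY_RUN=1 first and read the commands; then `DRY_RUN=0` applies them, and `route_for wlan1 192.168.2.10 188.113.88.193` versus `route_for wlan1 192.168.2.10 1.1.1.1` shows the bypass and the tunnel path respectively.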